This is an automated email from the ASF dual-hosted git repository. martijnvisser pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/flink-web.git
commit 59131495a71512e89e655a574f764410a5714497 Author: Martijn Visser <mvis...@confluent.io> AuthorDate: Tue Sep 19 12:53:25 2023 +0200 Update Security pages and Statefun 3.3.0 release announcement to include details about CVE-2023-41834 --- docs/content.zh/security.md | 12 ++++++++++++ docs/content/posts/2023-09-19-release-statefun-3.3.0.md | 13 +++++++++++++ docs/content/security.md | 12 ++++++++++++ 3 files changed, 37 insertions(+) diff --git a/docs/content.zh/security.md b/docs/content.zh/security.md index 1498e705a..acdef0e2b 100644 --- a/docs/content.zh/security.md +++ b/docs/content.zh/security.md @@ -72,6 +72,18 @@ This section lists fixed vulnerabilities in Flink. Users are advised to upgrade to Flink 1.11.3 or 1.12.0 or later versions. </td> </tr> + <tr> + <td> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41834">CVE-2023-41834</a> + </td> + <td> + Flink Stateful Functions 3.1.0, 3.1.1, 3.2.0 + </td> + <td> + <a href="https://github.com/apache/flink-statefun/commit/b06c0a23a5a622d48efc8395699b2e4502bd92be">Fixed in commit b06c0a23a5a622d48efc8395699b2e4502bd92be</a> <br> + Users are advised to upgrade to Flink Stateful Functions 3.3.0 or later versions. + </td> + </tr> </table> diff --git a/docs/content/posts/2023-09-19-release-statefun-3.3.0.md b/docs/content/posts/2023-09-19-release-statefun-3.3.0.md index 39051c4a9..b0985e0cb 100644 --- a/docs/content/posts/2023-09-19-release-statefun-3.3.0.md +++ b/docs/content/posts/2023-09-19-release-statefun-3.3.0.md 
@@ -23,6 +23,19 @@ or [JIRA](https://issues.apache.org/jira/browse/FLINK)! ## New Features +### Fixed CVE-2023-41834 + +Stateful Functions versions 3.1.0, 3.1.1 and 3.2.0 allowed HTTP header +injection due to Improper Neutralization of CRLF Sequences. Attackers could +potentially inject malicious content into the HTTP response that is +sent to the user. This could include injecting a fake login form or +other phishing content, or injecting malicious JavaScript code that +can steal user credentials or perform other malicious actions on the +user's behalf. + +Stateful Functions 3.3.0 has fixed this security vulnerability. More details can be found on the +[Security]({{< relref "security" >}}) page. + ### Upgraded Flink dependency to 1.16.2 Stateful Functions 3.3.0 runtime uses Flink 1.16.2 underneath. diff --git a/docs/content/security.md b/docs/content/security.md index 1498e705a..acdef0e2b 100644 --- a/docs/content/security.md +++ b/docs/content/security.md @@ -72,6 +72,18 @@ This section lists fixed vulnerabilities in Flink. Users are advised to upgrade to Flink 1.11.3 or 1.12.0 or later versions. </td> </tr> + <tr> + <td> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41834">CVE-2023-41834</a> + </td> + <td> + Flink Stateful Functions 3.1.0, 3.1.1, 3.2.0 + </td> + <td> + <a href="https://github.com/apache/flink-statefun/commit/b06c0a23a5a622d48efc8395699b2e4502bd92be">Fixed in commit b06c0a23a5a622d48efc8395699b2e4502bd92be</a> <br> + Users are advised to upgrade to Flink Stateful Functions 3.3.0 or later versions. + </td> + </tr> </table>
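Review bot: in the docs/content.zh/security.md hunk, the new `<tr>` records only the affected versions and the fix commit, so a reader of the Security page cannot tell what class of problem was fixed or whether their deployment is exposed; the release post in this same commit already has the wording (`HTTP header injection due to Improper Neutralization of CRLF Sequences`), so add that one-line description to the third cell above `Users are advised to upgrade to Flink Stateful Functions 3.3.0 or later versions.` so that the advisory table is self-contained. Separately, this is the Chinese-language page and the added row is entirely English; that matches the existing context line (`Users are advised to upgrade to Flink 1.11.3 or 1.12.0 or later versions.`), so it is consistent with the file as it stands, but it deserves a translation pass if the rest of that page is translated.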
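Review bot: in the docs/content/posts/2023-09-19-release-statefun-3.3.0.md hunk, `### Fixed CVE-2023-41834` is inserted as the first subsection under `## New Features`, and a vulnerability fix is not a feature; operators scanning the release notes for security-relevant changes will look for a dedicated section and miss it there, so move the subsection into its own `## Security` (or similarly named) section placed ahead of New Features. The closing sentence also sends readers to the `[Security]({{< relref "security" >}})` page for "more details", while the Security page rows added in this same commit carry less detail than this paragraph (only affected versions and the fix commit); either enrich those rows or reword the sentence to say the Security page lists the affected versions and the fix commit.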
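Review bot: the docs/content/security.md hunk is identical to the zh one, so the same missing-description point applies to its third `<td>`. As a style point for both files, the CVE link uses the legacy `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41834` CGI form; the canonical record now lives at cve.org (`https://www.cve.org/CVERecord?id=CVE-2023-41834`), and linking there avoids relying on the redirect from the old host. If the surrounding rows (not visible in this hunk) still use the mitre.org form, keep consistency within the table and convert them together.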